Information Commissioner's Office


ICO consultation on the draft right of access 
guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please
email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather
this information. Any data collected by Snap Surveys for ICO is
stored on UK servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right
of access?
X Yes 
No 
Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


Q2 Does the draft guidance contain the right level of detail? 


The existing guidance and assistance from the ICO officers was very useful in helping us
deal with the SAR we received, and in particular, guidance on the meaning of ‘personal
data’. The general support and advice from the ICO office on how to approach the SAR was
most helpful and greatly appreciated.

However, it would have also been useful to have been able to look at detailed guidance on
the meaning of other terms such as ‘excessive’ and to what extent the concept of
proportionality is relevant, i.e.:

• What is manageable for a large company may differ from what is manageable for a
  small unincorporated association
• It is unclear whether the nature of the Requestor makes a difference (i.e. a great
  deal of information will be generated by a key officer)
• It isn’t clear whether a refusal to narrow the scope of the material requested (where
  it is voluminous) amounts to making a request excessive, but since the duty in this
  situation is to conduct ‘reasonable searches’ it does seem that a sense of proportion
  should be relevant here
• In the case of the BKA this is not just a question of it being ‘burdensome’ but an
  existential threat to the financial viability of the Association. The cost of reviewing all
  the emails requested to protect its duty to protect the data of 3rd parties would be
  likely to lead to the insolvency of the organisation or unmanageability due to the
  workload on volunteer officers; might the request be considered excessive?

Similarly, additional guidance on the meaning of ‘manifestly unfounded’ would be helpful.


Yes 
No 


X Unsure/don’t know


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


Q3 Does the draft guidance contain enough examples? 


X Yes
No 


Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


Q4 We have found that data protection professionals often struggle with applying and
defining ‘manifestly unfounded or excessive’ subject access requests. We would
like to include a wide range of examples from a variety of sectors to help you.
Please provide some examples of manifestly unfounded and excessive requests
below (if applicable).


The BKA is committed in principle to transparency of information for members insofar as is
practicable, and this is reflected throughout its Constitution. However, our experience so far
of Subject Access Requests was of a request which was unlimited in scope by someone who
had been a and who refused to give a reason for their request. This generated a
disproportionate amount of work for officers, but would have been unaffordable to the
Association if outsourced.

In our view this request was excessive but we complied fully with it because it was unclear 
to us whether it would be regarded as ‘excessive’ within the meaning of the DPA 
2018/GDPR. 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all useful | 2 - Slightly useful | 3 - Moderately useful | 4 - Very useful | 5 - Extremely useful
O O Xx] 


Q6 Why have you given this score? 


It would have been much harder to deal appropriately with the subject access request we 
received without being able to refer to the guidance. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly disagree | Disagree | Neither agree nor disagree | Agree | Strongly agree
L L] Xx] 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


It would be very helpful to small associations with limited resources, such as ours, if any
relevant developments in case-law could be reported on the ICO website; it is difficult to
find any up-to-date information about the way the courts have interpreted the DPA 2018,
and the cost of obtaining specialist legal advice on the relevant law would be prohibitive
in an organisation of our size and nature.

This may be particularly important post-Brexit should the lower courts be given the
power to depart from ECJ rulings.

The level of guidance sought is not detailed legal exposition but broad principles which 
might assist us in deciding whether there are reasonable grounds to apply an exemption. 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone
  providing their views as a member of the public)

O An individual acting in a professional capacity

X On behalf of an organisation

O Other


Please specify the name of your organisation: 


British Kendo Association 


What sector are you from: 


Unincorporated sporting Association 


Q10 How did you find out about this survey? 


ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 




Thank you for taking the time to complete the survey. 


